The Labour Party has been affected by a “cyber incident” involving its members’ data.
Labour said it was told on 29 October that it had been affected by the event by a third party firm that handled membership data on its behalf.
As a result, “a significant quantity” of party data was “rendered inaccessible on their systems”.
The Information Commissioner’s Office and National Cyber Security Centre are both looking into the incident.
In a statement, Labour said it was working closely with the two authorities, as well as the National Crime Agency, to find out what had happened.
The party also said it was “working closely and on an urgent basis with the third party in order to understand the full nature, circumstances and impact of the incident”, but that its own data systems were unaffected.
Labour has yet to reveal who the third party is, the scale of the incident or what type of data was affected.
But it did say the incident involved information provided to the party by its “members, registered and affiliated supporters, and other individuals who have provided their information”.
The Labour Party’s statement is vague and leaves a lot of questions for party members.
How many users have had their data compromised? What data is at stake? Does it include financial details or other sensitive information?
No doubt IT teams will be in full crisis mode trying to assess how bad the hack is.
They are also not saying what type of attack it is, but the statement makes it pretty clear that it is likely to be a ransomware attack.
Which means, someone, somewhere is demanding a ransom in exchange for safe return of the databases they have taken control of.
Like thousands of organisations in the last year, Labour – or rather the company that stores its data – is faced with the horrendous and controversial decision – to pay or not to pay cyber criminals.
A spokesman for the NCSC said: “We are aware of this issue and are working with the Labour Party to fully investigate and mitigate any potential impact.
“We would urge anyone who thinks they may have been the victim of a data breach to be especially vigilant against suspicious emails, phone calls or text messages and to follow the steps set out in our data breaches guidance.”